Group Policy

Overcoming obstacles can be challenging, yet rewarding. The pain and suffering endured along the way makes for a better story.

I’m a fan of the outdoors, I’ll admit that to the internet. My body, on the other hand, is a fan of the couch. So when I get the idea of doing something physical, you can bet my body will think that is a bad idea. I went on a hike today, a short 6 miles through a moderate mountain range, with a few breaks here and there to provide some comfort to the body. I even gave it a warning last week by starting with a smaller 2 mile hike. Well, apparently my load was a bit too cumbersome, and now I can hardly stand up or raise my arm above my head.

The same thing could be said about tracking down an elusive group policy issue. When things don’t work the way you know they should, it isn’t always the case that you have group policy set up incorrectly; maybe something more is wrong.

Before leaving one day I dropped by a coworker’s desk. He was drilling away setting up a new group policy for some new terminal servers for an outside company. They had been plagued with BSODs pretty much since they were put in, and the company asked us to set up the group policy lockdown for them. My coworker had spent over an hour getting the group policy set up just right to lock down everything under the sun; it was totally sexy.

With a test user he kept logging in, and the user seemed to be able to do things they should not be able to do. The Manage Your Server screen kept popping up, as did Administrative Tools in the Start menu. Something was definitely wrong. After double-checking everything, we enabled the Run bar and ran the command gpresult. We double-checked all the policies being applied, and I also noticed something I had seen when using this tool before but never really paid much attention to: it also shows the security groups the user is a member of, which is what the permissions applied at logon are built from. Oh, this is interesting!

We found that this user was a member of BUILTIN\Administrators. We checked the local group and it contained only the local Administrator account and Domain Admins. We double-checked the user’s group membership and it only had Domain Users. We went back to our gpresult output and found that the user also had Domain Admins membership. Wait, what?!

We brought up dsa.msc to check the built-in security groups for the domain, and what floored us was that we found Domain Users in the Domain Admins group. Not only did they have elevated privileges on the terminal server; they had free rein to, well, ANYTHING they might have had the curiosity to try and figure out.
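The group-side check that dsa.msc was used for above, and the membership listing that gpresult surfaced, can both be scripted so the problem is found before a lockdown policy is blamed. The following is an added example and is not code from the original post; it walks the member attribute of each privileged group and reports every group nested inside it, flagging those that are effectively "everyone" (Domain Users inside Domain Admins being the case in the story). It assumes the RSAT ActiveDirectory module is installed, that the caller can read group membership, and that the group names are the English defaults; the lists of privileged and broad groups are assumptions to adjust for your domain.

```powershell
# Added example, not from the original post.
# Assumes: RSAT ActiveDirectory module present, read access to group membership,
# English default group names. $privilegedGroups and $broadGroups are assumptions.
Import-Module ActiveDirectory

$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$broadGroups      = @('Domain Users', 'Domain Computers', 'Users', 'Authenticated Users', 'Everyone')

function Find-NestedGroups {
    param(
        [Parameter(Mandatory)] [string]$GroupDn,
        [string[]]$Chain = @(),
        [System.Collections.Generic.HashSet[string]]$Visited = [System.Collections.Generic.HashSet[string]]::new()
    )
    # Guard against circular nesting, which AD permits.
    if (-not $Visited.Add($GroupDn)) { return }

    $group = Get-ADGroup -Identity $GroupDn -Properties member
    $chain = $Chain + $group.Name

    foreach ($memberDn in $group.member) {
        $member = Get-ADObject -Identity $memberDn -Properties objectClass, name
        # Users and computers are leaves; only nested groups widen membership.
        if ($member.ObjectClass -ne 'group') { continue }

        [pscustomobject]@{
            PrivilegedGroup = $chain[0]
            NestedGroup     = $member.Name
            Path            = ($chain + $member.Name) -join ' -> '
            Broad           = $broadGroups -contains $member.Name
        }
        Find-NestedGroups -GroupDn $member.DistinguishedName -Chain $chain -Visited $Visited
    }
}

$findings = foreach ($name in $privilegedGroups) {
    $g = Get-ADGroup -Identity $name -ErrorAction SilentlyContinue
    if ($null -eq $g) { Write-Warning "Group '$name' not found; skipping."; continue }
    Find-NestedGroups -GroupDn $g.DistinguishedName
}

if (-not $findings) {
    'No groups are nested inside the privileged groups checked.'
} else {
    $findings | Sort-Object Broad -Descending |
        Format-Table PrivilegedGroup, NestedGroup, Broad, Path -AutoSize
    $findings | Where-Object Broad | ForEach-Object {
        Write-Warning "'$($_.NestedGroup)' gives every one of its members $($_.PrivilegedGroup) rights via: $($_.Path)"
    }
}
```

Walking the member attribute rather than calling Get-ADGroupMember -Recursive is deliberate: the recursive cmdlet expands nesting down to leaf accounts, so a Domain Users nesting would show up as thousands of users instead of the one group that explains them. For the user-side view that gpresult gave, the same token can be listed on the terminal server as the test user with `whoami /groups`, or with `gpresult /r /scope user`; if Domain Admins appears there while the account's direct memberships do not include it, nesting is the place to look.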

This explains all the strange software being installed on the server (who knows how it was being installed), as well as the random, almost daily BSODs that happened on them.

We told the local administrator of the site about it, and he seemed completely shocked; he had never even thought to check on that. As painful as that was to walk through, you definitely learn a lot of great troubleshooting tools, and it made for quite a colorful story.
